Roundtable: The state of mobile access control

July 20, 2016
Industry experts weigh in on how the technology has progressed in the market

Unlike video surveillance, which seems to always be on the verge of the next great technological breakthrough, access control remained largely unchanged until the tail end of the last decade when sales of smartphones began to take off around the globe. The proliferation of the smartphone has not only revolutionized how people communicate and interact with the world around them, but it has introduced a paradigm shift for numerous industries including security.

The capability to interact with a security system via a mobile device is no longer a "nice to have" feature but is an expectation among end-users. Moving from the world of physical access cards to mobile credentials, however, has been fraught with challenges, many of which the industry is still working through. Despite the hurdles that remain, nearly everyone recognizes that mobile is the future of access control and with each passing year, the technology moves that much closer to gaining more widespread adoption.

The technology has become so mature, in fact, that companies have begun looking beyond just smartphones to integrating wearables, such as smart watches and health and fitness trackers, into the mobile access control ecosystem. Given how far mobile access solutions have come, (SIW) recently convened a panel of industry experts to get their take on some of the obstacles the technology must still overcome as well as when it may eventually overtake physical access cards as the de facto standard for the market.

SIW: Has the industry finally reached a point where it can overcome some of the obstacles that slowed the adoption of mobile access control in the past? (i.e. the lack of NFC capabilities on some smartphones, particularly the iPhone?)

Alexander Derricott, market analyst, digital security and access control, IHS: The technology and end-user understanding are ready for mobile credentials. The current projects are moving from the pilot stage to implementation. The feedback from the market suggests that more and more end-users are demanding the inclusion of this technology in their projects; maybe not for immediate use but as a way of future-proofing their systems.

The NFC problem still has not been solved as Apple has not allowed third parties to use the NFC secure element, but the industry has got around this problem by moving towards Bluetooth Low Energy. The major challenge that will immediately affect the development of mobile credentials will be getting the compatible hardware installed as end-users can be reluctant to upgrade a reader part way through its lifecycle.

Frank Gasztonyi, co-founder and CEO, Mercury Security: There are a number of factors that influence the choice of the access control credential. One has to consider that the security of mobile devices is dependent on outside entities. Unlike traditional access and identification credentials, they are not controlled or necessarily administered by the security department. Many end-users may see the current use of mobile devices for online banking and payment transactions as proof of their viability for secure access applications; they also find the high-tech option of mobile devices appealing.  In these scenarios, using Bluetooth instead of NFC addresses part of the adoption issue, which also includes ensuring an organization’s reader infrastructure supports mobile access. It is a different story at the panel level because the user identification utilized by Authentic Mercury hardware is not dependent on the credential type. An organization can change the credentials and readers to suit their needs and the Mercury open platform will support a diverse mix of phones, cards and readers as requirements change over time. 

Peter Boriskin, vice president of product management, ASSA ABLOY Americas: Yes, we believe there are two ways this is being done. First, some of the “smart technologies” that are available are now leveraging a wireless agnostic approach. At ASSA ABLOY, our Seos platform gives us the capability to support all platforms so we don’t have to worry about the capabilities of a specific phone.

Additionally, I believe we have moved past many of the questions surrounding mobile security that slowed initial adoption. There is now a broad level of familiarity with using our phones for more than just making calls and checking email. Today many vending machines support use of a phone to make a purchase and we also see broad adoption for cashless payments in banking and retail. Since Apple added NFC support (for mobile payments) it has added veracity to the claim that mobile is going to continue to grow as a platform and its applications will continue to expand.

Mitchell Kane, president, Vanderbilt Industries: The adoption of mobile credentials has been slow; however there is a growing interest from enterprise-class organizations that need to allow access to various locations on demand. IHS recently predicted that interest in mobile credentials will rise rapidly in the next few years, with a growth rate of 140 percent by the year 2020. It also predicts that 20 percent of all credentials will be mobile by the same year, with the most demand coming from the government, commercial and education markets. As manufacturers, we must look for ways to incorporate their use into access control solutions and this is a focus we are actively engaging in.

There are already a number of manufacturers that offer control through mobile devices, such as smartphones, iPads or tablets. These applications allow security officials to control systems remotely without client software in place, which gives enterprise organizations the flexibility to provide access control in a constantly changing environment as long as they have access to the Internet.

SIW: Along with that, what kind of mobile access control methodologies do you believe will be the most prevalent in the coming years – NFC, Bluetooth or a combination of the two?

Derricott: Very hard to tell, but at the present moment suppliers are investing in both technologies. It started out with NFC being the method of choice but, as the likes of Apple didn’t embrace the technology, access control suppliers turning to Bluetooth and Bluetooth Low Energy. The issue is that NFC is currently gaining the most traction when it comes to adjacent industries, especially payment, and it could be confusing for the end-user to have to change technologies.

The big question is what Apple will do going forward. If Apple opens up the NFC secure element to everyone or even just to specific access control suppliers then we could see the industry shift rapidly back towards NFC. The most interesting scenario that could potentially happen is that Apple takes a more direct approach and actually enters the market with an app in order to bolster its smart home offering.

Gasztonyi: In essence, the answer to this question will be based on the device functionality offered by the mobile phone manufacturers, and the access control industry will find a way to support devices that are in high demand.  At one point, NFC was seen as having strong potential; however, it will continue to lag behind Bluetooth until it is supported by all major smart phone manufactures (including Apple) for a broad range of applications.

Boriskin: This is going to be dictated by the banking market and cashless transactions. Right now there is certainly support for NFC in the retail market yet nearly every mobile device today supports Bluetooth for everything from wireless speakers to hands free calling in cars. Our approach is simply to support all platforms with Seos as it’s not realistic to just get behind one platform and expect there to be no further shifts in the market.

Kane: Recently, the Security Industry Association (SIA) started working on standards to define the use of focusing on Bluetooth credentials in the security market. The Bluetooth Low Energy standard is designed to streamline interoperability between mobile credentials, such as phones, wearables, etc., and readers. The standard would help promote the growth and use of mobile credentials in a variety of applications that use Bluetooth. As the industry becomes more accustomed to adopting these standards, more methodologies will be explored and standards set to help access control providers drive greater options for customers.

Scott Sieracki, CEO, Viscount Systems: We will most likely see a combination of NFC and Bluetooth adoption as a result of efforts to customize access control to end-user and integrator preferences. These technologies allow for quick authentication and easy integration with other security systems, but the rigor of their cybersecurity standards has yet to be determined as we move toward larger scale usage.

SIW: When looking at wearables, what types of devices do you believe will see the most traction with regards to access control? Will it primarily be smart watches?

Derricott: Watches or bands. The convenience factor of having your key on your wrist will be pretty high. Bands are becoming cheaper and more technology is getting put on them, so they seem like a key part of the wearables market going forward. Smart watches didn’t see the growth in 2015 that the IHS wearables team was expecting but that could change in 2016. Overall, mobile credentials on wearables is a logical step for access control but that market depends on how well smartwatches and bands do rather than any access control specific factor.

Gasztonyi: Mobile device manufacturers and applications will continue to drive interest and adoption of wearable devices. For example, Gartner has forecasted that smart watch adoption will grow by 48 percent between 2015 through 2017, largely due to Apple popularizing wearables as a lifestyle trend.

Boriskin: ASSA ABLOY has started supporting some wearables. Android and Apple Watches can be supported by our Seos platform. With the continued uncoupling of smart watches from our phones, I believe we will see increased adoption. Mobile is driven by convenience and wearables will be driven by people who are already comfortable with the technology and the added convenience they can provide.

We are also looking at leveraging lower cost wearables for specific applications. Right now we have a wristband with RFID technology that allows you to provide a credential in an inexpensive platform without having a smart watch.

Kane: In addition to smart watches, there are a number of wearables starting to trickle into the market, such as tracking tags that are used within the healthcare industry for patients with dementia or to keep patients in nursing homes within a certain approved area. We will also see bracelets and perhaps rings that allow access using NFC. The important thing to note is that wearables have to fit into daily life to enable users to easily remember the device. Only then we will see the positive effects and an increase in adoption.

SIW: Do you believe the introduction of wearables into access control will also introduce new modalities of authentication? For example, Bionym introduced the Nymi wristband a few years back that used a person’s unique heartbeat to verify their identity. Will more solutions like this make their way into the market and will they be viable?

Derricott: More and more sensors are getting put onto wearables. It is very likely that new identifiers will be developed that will have a huge impact on not just access control but a range of other industries. There will be new technologies and some will be viable but as to which ones or when; it is very unclear.

Gasztonyi: The introduction of wearables may certainly add new options for authentication but the timing from concept to adoption is the true question. Our insights from end-user customers, integrators, consultants and major access control OEMs point to the fact that access control cards issued and managed by the security department will remain the primary credential form factor for years to come.  While smartphones and wearables are at the forefront of conversations in the market, actual adoption is still a slower process. This is consistent with the access control market in general, which has proven over the years to be sluggish in the adoption of new technology.  For example, proximity technology is still a popular credential choice when numerous technologies are now available that provide more functionality and security.

Boriskin: When you examine the sensing technology that is now available in wearables it begs the question what are you going to do with it? There is no reason not to take advantage of the information to provide a more secure authentication. With so much information being built into mobile technology it will eventually be an additional resource we can use to enhance security.

SIW: Speaking of biometric identifiers, will companies be able to leverage technologies similar to Apple’s Touch ID for mobile access control applications in the future?

Derricott: It would be a great way to include some form of biometrics into a system and while maybe not providing the same level of security as an iris scanner, not having the upfront cost of a hardware install would definitely be an attractive proposition.

Gasztonyi: We all hope so. Mercury has been a long-time supporter of adding biometrics to the authentication mix, and our Authentic Mercury hardware is built on an open platform that supports OSDP to make it possible to integrate biometrics in an access control environment.   Out of the three basic models for deploying biometrics – the WEDGE, integrated, and match-on-card– Mercury advocates the use of the integrated model to ensure the highest level of security, flexibility and interoperability.  The integrated model includes three components:  the access control system software that obtains biometric templates for each user during the enrollment process, the access control panel capable of storing and managing biometric templates, and the biometric reader which implements the OSDP Biometric Profile.  An integrated approach using OSDP eliminates the need for either readers or credentials to contain biometric templates for each user.  This reduces potential vulnerabilities inherent to storing biometric data in the readers or cards.  In addition to providing “more security around the security” it also offers greater flexibility over the WEDGE and match-on-card models.

Boriskin: The technology is available now but we need to address the privacy concerns of using a personal device with identifiable biometrics. There is still a lot of work that needs to be done to address privacy concerns and fair use around personal data. An employer isn’t necessarily asking for this data, but by deploying certain credentials they could be unknowingly taking responsibility for it without realizing it.

For example, think of a hospital or assisted living setting where this technology could be used. With HIPAA requirements to protect individual data, there could be potential issues. In our current bring-your-own-device world, how organizations deal with privacy concerns and data protection are critical issues that need to be addressed comprehensively.

Kane: I think biometric authentication is the next wave of access control applications, combining traditional access control, such as a card or mobile device, with a password and biometrics. This approach is quickly gaining steam as enterprises look for new ways to protect critical data and assets from internal and external threats.

SIW: What kinds of challenges still remain for mobile access control solutions to become a bigger part of the industry?

Derricott: The installation of the capable readers will be one of the big challenges. It may take five years for the entire current installed base to be upgraded. The security implications arising from bring-your-own-device could lead to end-users rejecting the technology, for example, if their smartphone becomes infected via a non-work related application.  So far, however, industry feedback suggests that end-users are not so concerned around the BYOD issue.

Gasztonyi: Some of the main challenge areas will continue to be around standardization of mobile devices used in the enterprise. The bottom line is that we will use what the market creates in abundance.  Facility managers and IT security teams must come together to weigh the value of adding mobile access functionality to a variety of personal devices over the cost and importance of standardizing on a single mobile device platform.  In this regard, it will be key to adhere to a sound security policy, which should include steps for validating an authentic, untampered device.  If such a validation process is not feasible at this stage of mobile access adoption, the policy should at minimum incorporate a list of approved brands or devices that qualify for use within an organization’s access control system.   

Boriskin: First, the rules of engagement are still being sorted out. The other part is getting some level of commonality around support for mobile. The issue will become, how do we create a sustainable solution going forward? There are many different manufacturers out there right now creating their own solutions to address specific applications and it is uncertain whether they will all work together.

Kane: The security of devices will continue to be a factor in the adoption of mobile credentials. Although we’ve seen instances where even the FBI couldn’t hack into a password-protected iPhone, everyday users may not enable this type of protection to their phones. Enterprises must mandate certain security parameters are followed in regards in mobile solutions; otherwise, it can leave the door open to allow an unauthorized person to access a site or building. The threat landscape is constantly changing, and organizations must keep up with the challenges and security of the devices being used in access control solutions.

Finally, complicating matters a bit further are the multiple ways that mobile credentials are being used – for example, for banking and financial transactions – so access control credentials are not the only thing at risk when a mobile phone is stolen. Security device providers are constantly trying to determine what vulnerabilities may be on the horizon and find solutions to mitigate these risks. But if mobile credentials become mainstream, users also will need to take basic steps to protect themselves, such as installing anti-virus software, downloading updates immediately and following their company’s security policies to a tee.

Sieracki: The biggest challenge facing the access control industry when it comes to activating mobile devices is the fact that many current or traditional access control systems still rely heavily on stationary panel hardware. These systems have a much harder time integrating with software-based solutions, especially the kind installed on mobile devices.

SIW: At what point in time will smartphones become the de facto access credential in most organizations or is that too far out to project?

Derricott: They will remain complimentary for the foreseeable future. IHS expects huge growth in the mobile credential market over the next five years but it is still too soon to predict when mobiles will become the standard credential. 

Gasztonyi: Mobile access is well positioned to complement existing access control systems.  However, it is still in the early adoption phase, making it challenging to predict if it will become the norm over time. As the market demand is confirmed, access control reader manufacturers will offer products that will interact with a mobile device and provide a normalized user identifier to the access control system via standard message interface, such as OSDP.

Boriskin: It’s a bit too far out to project that. Only recently did we reach a point where we are selling more smart cards than prox. There is still a significant cost an organization would have to be prepared incur if they were to provision a large staff with mobile technology.

Kane: While smartphones have become the main driver of mobile credentials, there are still several concerns associated with their use in access control solutions – namely, the overall security both cyber and physical and how to protect from internal and external threats. The industry has work to do before smartphones become a de facto access credential.

Sieracki: We are already seeing smartphones being used as credential-enabled devices in newer installations, but the question of whether or not these will become the new standard needs additional research and programming development. Smartphone operating systems are already using biometrics as a method of locking and protecting sensitive mobile data, but these operating systems have a long way to go in hardening their cyber defenses before they can be used in high-risk installations such as airports, logistics centers, labs or critical infrastructure sites.